What happened
American Lending Center, a California-based non-bank lender managing a $3 billion portfolio of government-guaranteed small business loans, has notified more than 123,000 individuals of a data breach stemming from a ransomware attack detected in July 2025. The forensic investigation was not completed until April 8, 2026, nearly nine months after the initial discovery.
The investigation confirmed that a threat actor compromised ALC’s internal network, executed a ransomware attack, and accessed files that may have contained personally identifiable information including names, dates of birth, and Social Security numbers. ALC stated it has found no evidence that the potentially compromised information has been misused. No known ransomware group has publicly claimed responsibility for the attack. That silence may indicate a ransom was paid or that the responsible group does not operate a public leak site.
Who is affected
More than 123,000 individuals whose personal and financial information was held in ALC’s systems face potential exposure of names, dates of birth, and Social Security numbers. Given ALC’s focus on small business lending, affected individuals likely include business owners and their associates who applied for or received government-guaranteed loans.
Why CISOs should care
The nearly nine-month gap between detection and completed investigation is the most significant operational detail in this disclosure. For a financial institution holding SSNs and sensitive lending data on over 123,000 individuals, that timeline creates a prolonged window during which affected individuals had no ability to take protective action. State breach notification laws in California and elsewhere define maximum notification timelines from the date of discovery, not the date the investigation concludes, making extended investigation periods a regulatory risk as much as a security one.
The absence of a public ransomware claim also leaves the question of data disposition unresolved. When ransomware groups do not publish data, it can indicate payment, but it can equally indicate the data is being held or sold through private channels not visible through public leak site monitoring.
3 practical actions
- Establish investigation SLAs that run parallel to notification clock obligations: California and most states require breach notification within a defined period of discovery, not investigation completion. Build forensic investigation timelines that include interim notification triggers when the scope of exposure can be reasonably estimated, rather than waiting for full investigation completion before beginning notification.
- Implement monitoring for SSN and financial identifier exposure on dark web and private criminal marketplaces: The absence of a public ransomware claim does not mean the data is secure. Dark web monitoring that covers private sales channels and not just public leak sites provides broader visibility into whether ALC customer data has entered circulation.
- Review ransomware detection and response capabilities to compress dwell time before encryption: A ransomware attack detected in July 2025 with a nine-month investigation timeline suggests the attacker had significant network access before the encryption event. Prioritize detection capabilities that identify pre-ransomware staging activity, including lateral movement, credential theft, and bulk file access, rather than relying on encryption as the detection trigger.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

